Exploit broker Zerodium announced today its intention to acquire zero-day vulnerabilities in three of the most popular VPN clients for Windows: ExpressVPN, NordVPN, and Surfshark. Founded in 2015, cybersecurity company Zerodium has built a reputation over the years as an exploit buyer for zero-day vulnerabilities. Zerodium then sells them to government and law enforcement.

Zerodium runs a standing bug bounty program in which security researchers can receive up to $2.5 million for the vulnerabilities they submit, depending on their type and nature. In addition, over the years the company has held so-called temporary acquisition campaigns, during which it offers to buy exploits for specific software. Zerodium announced another such promotion on Twitter today.
This time, the company intends to acquire exploits for the popular Windows VPN apps ExpressVPN, NordVPN, and Surfshark. The companies behind these applications operate networks of thousands of proxy servers around the world that redirect their customers' web traffic to hide the users' real location. To connect to these networks, users need to install a proprietary VPN client on their computer or other device. All three companies provide apps for every major platform, including Windows, macOS, Linux, Android and iOS.
We’re looking for #0day exploits affecting VPN software for Windows:
– ExpressVPN
– NordVPN
– Surfshark
Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.
Contact us: https://t.co/R6E2CVU9K3
— Zerodium (@Zerodium) October 19, 2021
Zerodium said that it is interested only in exploits targeting the Windows versions of these applications: exploits that reveal users' personal information, including their real IP address, as well as vulnerabilities that allow remote code execution on the user's computer. The reasons for this interest are fairly obvious: VPN services are often used by cybercriminals to hide their real location when connecting to their victims' networks or to the infrastructure they use for attacks.
Today's Zerodium announcement has angered many privacy-conscious VPN users. This is not surprising, since it is unclear to whom and for what purpose Zerodium resells the exploits it buys. Neither Zerodium nor ExpressVPN, NordVPN or Surfshark commented on the announcement.